Hyderabad-based financial technology startup, CreditVidya, has had reportedly used third party apps like Sai Baba stories and one that streamed Ilaiyaraaja songs, to fetch sensitive user data including GPS locations and also spied over business SMSes from e-commerce sites and banks to monitor spending activity, personal contacts, and much more.

The report, by Gopal Sathe, Huffington Post, said that CreditVidya fetched “the data, scooped up from users, was used to power CreditVidya’s self-learning algorithms that help lending companies determine the credit-worthiness of loan applicants.”

CreditVidya, which counts Matrix Partners and Kalaari Capital among its investors, has ran Software Development Kit (SDKs), used to develop mobile apps, for several months in 2017 until a new version of Google’s Android operating system made it harder to scrape such data.”

In other words the fintech startup stopped the alleged snooping only when Google made it harder for Creditvidya to sustain the scam any longer.

Developed by a third party app developer Winjit Technologies (a Nashik, Maharashtra based firm), once these apps are installed users would have been asked for access permissions that are increasingly common and intrusive, but would have had no idea that their personal data was being scraped and sold further in a manner that could affect their credit-worthiness.

“Even though there might not be proper notice / informed consent, at least it’s understandable that lending apps that user uses is downloaded consciously and some might have knowledge on the fact that app,” said Srikanth L, who is a contributor to Cashless Consumer, that tracks the payment tech industry in India and provide consumer perspectives, voice concerns.

The Creditvidya SDK wa found in a Sai Baba app, Ilaiyaraaja Hits app and other music apps of popular record labels with its SDK where user is clueless about this background data collection.

Thus a user could consent to an app collecting data without knowing how such data would be used.

In a statement to Huffington, Srikanth further said, “the data from unsuspecting users as part of the huge database it uses to generate the trust score, but there is opaqueness about where this data comes from and how many data brokers were engaged in trading personal data with companies like CreditVidya.”